Privacy policy

This website privacy policy template has been designed to help website owners comply with European Union and United Kingdom data protection legislation, including the General Data Protection Regulation (GDPR).

The policy covers all the usual ground: the categories of personal data that are collected, the purposes for which that personal data may be used, the legal bases for processing, the persons to whom the personal data may be disclosed, international transfers of personal data, the security measures used to protect the personal data, individual rights and website cookies.

First published in 2008, this policy and its antecedents have been used on hundreds of thousands of websites. It was updated during 2017 and 2018 to reflect the GDPR and the developing regulatory guidance from the EU and UK data protection authorities. This template was last updated on 25 April 2018.

If you're new to data protection law, then before downloading the policy you might want to review the questions and answers below, which provide an introduction to both the legal and practical issues around the use of privacy policies.

*If you use this free privacy policy, please retain the attribution / credit for SEQ Legal. If you purchase the policy via this link, you will get a copy of the policy without the credit / attribution.

Why do I need a privacy policy?

The law probably requires that you publish a privacy policy (or similar document) on your website.

Ask yourself this: do I collect or use personal data for non-personal / non-household activities in relation to my website?

If you do, EU and UK data protection law require that you provide information to individuals about how you use their data. The usual way of providing that information is via a privacy policy.

The key pieces of legislation include the GDPR and, in the UK, the Data Protection Act 2018. But these legislative requirements are not the only considerations in play. There are at least three other reasons to publish a privacy policy on your website.

First, your contracts with service providers may require that you publish an appropriate privacy policy. For example, the Google Analytics terms and conditions require that you "have and abide by an appropriate Privacy Policy ... You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect data. You must disclose the use of Google Analytics, and how it collects and processes data."

Second, a clear and open privacy policy will help you to build trust with some of your users. Users may refuse to register with a website if they aren't confident that their personal data will be protected. Just as bad, they may provide unreliable information when doing so.

Third, one of the key functions of many websites is the projection of a serious and professional image. A website without the necessary legal documentation may have a negative effect on the image of the business behind it.

This website privacy policy template has been drafted with all of these goals in mind, although the legal compliance requirements are overriding.

Should I use a template or ask a lawyer to prepare a policy for me?

Data protection law is not straightforward. Indeed, since the coming into force of the GDPR, it is difficult for many organisations to be confident that they comply.

Ideally, all privacy policies would be prepared by, or under the supervision of, experts in data protection law. But data protection expertise can be expensive: you might pay anything from £500 to £5,000 or more for a UK data protection lawyer to prepare a privacy policy.

As with many business investments in legal services, you will need to balance the risks of a DIY approach against the costs of using a professional. In general, you should always use a professional if there are significant amounts of money at stake or material risks of liability.

Is this the right template privacy policy for me?

A legal template is both never and always potentially suitable for a particular job. Never suitable because adaptation is always needed; always potentially suitable because, with enough adaptation, one document can be transformed into any other document.

That said, some jobs will require more adaptation than others, and sometimes the adaptations will require specialist legal knowledge.

You should only use this template in relation to the following purposes if you are confident that you can make the necessary adaptations:

the personal data of minors;

sensitive personal data / special categories of personal data;

large-scale processing of personal data;

any complex or unusual personal data processing; and

any personal data processing that is likely to have a significant impact on individuals' rights and freedoms.

What information should I provide in my privacy policy?

The core disclosures required by the GDPR are set out in Articles 13 and 14.

Article 13 sets out the information that must be provided where personal data are collected from the individual. Article 14 sets out the information that must be provided where personal data are collected from some other source.

The main categories of information are:

identity and contact information of the controller;

where personal data is not collected from the individual, the source and nature of that data;

the purposes of the processing;

the legal bases for the processing, including details of applicable legitimate interests;

the recipients or categories of recipients of the personal data;

details of international transfers of personal data that require legal protections, and details of those protections;

the periods for which the personal data will be stored, or at least the criteria used to determine those periods;

individuals' legal rights with respect to their personal data;

whether the provision of personal data is a legal requirement;

the existence of automated decision-making, including profiling.

Our privacy policy template has been designed to help you to disclose the necessary information.

Should information about cookies be included in the privacy policy or elsewhere?

There's a degree of overlap between the laws relating to cookies and those relating to the processing of personal data: cookies may themselves contain personal data; and even where cookies don't themselves contain personal data, the reading of cookies will often result in the linking of cookie data to other personal data held by the operator.

Because of this overlap, it is common to include cookie disclosures in a privacy policy, and this template does include relevant disclosures – although not in so much detail as in our premium privacy and cookie policy templates.

The key legal instruments currently applicable to cookies are:

across the EU, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications); and

The latter is the UK's implementing legislation for the former. The consolidated version of the UK regulations is not available on the legislation.gov.uk website and the text of the relevant Regulation (No 6) has been updated since 2003 – so use with care.

New legislation on cookies is currently going through the EU legislative process, but this is not expected to become law until 2020 at the earliest.

In addition to the information disclosure requirements, you may need to get user consent to cookies. This privacy policy template includes an optional statement to the effect that users consent to the use of cookies. However, this will not alone satisfy the cookies consent requirement under the cookie laws.

How do I edit the privacy policy?

After you have downloaded the policy, you will need to open it in your word processing software for editing.

The first thing you should decide is how to categorise the personal data that you process. Your categorisation should reflect how data is handled in practice. For example, you might differentiate between analytics data, enquiry data, customer relationship data and transaction data. The template privacy policy includes a suggested categorisation.

With respect to each of your categories of personal data, you will need to determine the purposes for which the data is processed and - this is often the hard bit - the legal basis for processing. Possible legal bases are individual consent, the performance of a contract, and your legitimate interests.

You will also need to identify recipients or categories of recipients, as well as relevant data retention periods.

Guidance notes are included in the template to help with the editing process.

After editing, you should add the privacy policy text to your website, either via your content management system or directly after converting it to HTML.

Why is your privacy policy longer / more complicated than some other policy templates?

This policy is intended to be easy to use, but data protection law in general and the GDPR in particular are difficult to use.

Data protection law is necessarily built of abstractions, but some of the abstractions at the heart of the GDPR do not map easily onto the real world. The European Data Protection Board (EDPB) has produced voluminous guidance on the application of the GDPR, but the very existence of this guidance highlights the problem. If the law was clear, the guidance wouldn't be needed. In many cases, the guidance either overreaches or dodges the difficult issues.

Another reason for the length of our templates is that … they are templates. They are intended to be edited before use, and it is much easier to delete unwanted provisions from a template than to add novel provisions. After you have finished editing our template, it should be materially shorter than when you started.

If you do plan to use a simpler template from another website, you should take care to ensure that it covers all the necessary ground. If you can create a privacy policy from a template in a few minutes, there may well be something wrong with the template.

What other privacy and cookies documents are available?

We supply a range of privacy and cookie documents on our ecommerce websites, Website Contracts and Docular.

| Title | Description |
| --- | --- |
| Cookies policy | A simple policy covering cookies disclosures. |
| Privacy policy | A short-form privacy policy for data protection disclosures, identical to this policy except that it omits the SEQ Legal credit. |
| Privacy and cookies policy | A document combining the provisions of our privacy policy and cookies policy. |

Do I also need a data protection or GDPR policy?

"Privacy policy" is not a term of art.

Documents with the same function will sometimes be called "privacy notices", "data protection statements", "personal data processing policies", "GDPR policies" - or something different entirely.

Worse, there is a different type of document that shares the same pool of possible names.

Whilst our free privacy policy is concerned with the disclosure of information about personal data handling, this other type of document is concerned with specifying the policies and procedures that regulate how employees and non-employed personnel conduct themselves in relation to personal data handled by the organisation. This other type of document will typically form part of a staff handbook and/or the set of policies provided to freelances and other subcontractors engaged by the organisation to provide services.

I usually refer to this other type of document as a "data protection policy" – but don't assume that other professionals will do so.

In most cases, you will want to keep these documents separate.

Do I need a data processing agreement?

A privacy policy is concerned with an organisation's role as a controller of personal data; whereas a data processing agreement is concerned with an organisation's role as a processor of personal data.

This distinction can be confusing and tricky to apply.

Both controllers and processors process personal data. Just because you are processing personal data, that doesn’t make you a processor. You might be a processor, but equally, you might be a controller. Confused yet?

The distinction is tricky to apply because the definitions are highly abstract. A controller is defined as a person who determines the purposes and means of processing personal data. A processor is a person who processes personal data on behalf of a controller. In practice, the determination of purposes is more significant than the determination of means.

An example might help. A business providing website hosting services would usually be a processor with respect to personal data contained in the website databases of its customers. It would, however, usually be a controller with respect to personal data contained in its customer relationship management system. For some classes of data – for example, data collected when providing support services to customers – the correct classification may not be clear.

In any case, if you are a processor, then the GDPR requires that you enter into a specific set of contractual clauses with your controller. A data processing agreement is a document that contains those clauses, sometimes elaborating and/or supplementing them. Processors should not produce privacy policies with respect to that data because the production of a privacy policy is the responsibility of the controller.

Summary of free document licensing terms

By downloading a free legal document available on this website, you accept and agree to our terms and conditions. The main terms of the licence in the terms and conditions are as follows.

Unless you have paid for the right to use the relevant document without the included credit (attribution) text, you must retain the credit in the free legal document.

Subject to this point, you may edit and amend the documents to render them suitable for your purposes.

You must not sell or re-distribute the free legal documents or derivatives thereof.

We give no warranties or representations concerning the free legal documents, and accept no liability in relation to the use of the free legal documents.

I am starting a website which will contain free downloadable educational resources. Visitors to the site do not need to sign up to download nor provide their name. There is no comment or feedback section. The purpose of the website is just to share resources that people could use. Do I still need a privacy policy? If so I am not sure what other data collection I need to disclose as I am not asking for any information. I am assuming the privacy policy may need to contain information about third party plugins or cookies.

Strictly (but subject to certain exceptions) you need to provide information to data subjects about how you handle any personal data that you collect and use in the course of your business. In the case of this type of limited functionality website, possible sources of personal data are: (i) website analytics systems (not all of this will be personal data, but some may be); and (ii) any communications you receive from users, eg via email. If the website uses "non-necessary" cookies (whether yours or from a third party), you should also be disclosing information to users about those cookies. All these disclosures are usually contained in a privacy and/or cookies policy.

I'd need to know a little more about the blog before commenting on this. Can you give me an idea of the type of content that would be included in the blog, and also whether there is any non-blog functionality on the website?

I am quite confused with the privacy thing in general. We are a lettings agency and we just had our website created and I believe we need a privacy policy license. How do we obtain it? And how do I put it on our website?

1. You can download this document (click the button above) and use it free of charge, providing you retain the section in the document that credits us as the source of the document ("This policy is based on a template published by SEQ Legal...").

2. If you want to project a more professional image, you can buy a licence to use this template without the credit text, here:

Thank you for your response. So just to clarify, as long as we have this document displayed on our website and we are registered with the Information Commissioner's Office, we are compliant with the privacy policy act? What about cookies? Do we need that popping up in our website too? Many thanks for your help!

No, a template will never guarantee compliance. It's merely a tool. To ensure compliance you or a professional adviser needs to understand both the legislation and your business and then make the relevant disclosures and handle any other compliance points, including the best way to get consent for the use of cookies.

Hello, I am developing a good game for Android that integrates some Facebook plugins and asks for some permissions (user profile, name, picture and publish permissions). Facebook requires that my app have a web page and in that web page should be the privacy policy (this web page is created via wix.com).

I can never say that a template will alone be good enough. In legal terms, a privacy policy being "good enough" means enabling the business in question to comply with all relevant data protection / privacy disclosure laws. The information that needs to be disclosed by a business will vary from case to case. For example, the geographical location of your service providers might affect this. A template cannot know anything about your business, so cannot ensure compliance. You should take legal advice if you want to ensure compliance and you don't know how to do this yourself.

I have an Android mobile app that accesses the camera and so as such Google's terms require that I have a privacy policy. I store no information from the camera between sessions so this is just a requirement of compliance with Google as I don't store or use any personal information. Would you have a template to cover such situations? I think this would be very useful to many.

Submitted by German (not verified) on Mon, 15/05/2017 - 21:06

Hello, I just launched the website of my record label, a net label. Mainly I'll be offering music distribution, remix and mastering and a promotion blog where people and artists will submit their music, photos, links of their social media, links to videos, biography, information about the artist like name, country, age.

I'm not registered as an official company as I'm just starting and maybe in a future I will start as self employed. So basically I'm like a sole trader where I will be in charge of all the website management and deciding which artists I will be promoting. I download the privacy policy but in some points I don't have the information like:

15.2 We are registered in [England and Wales] under registration number [number], and our registered office is at [address].

Section 15.3 however should be retained. You presumably however still have an address from which you conduct the business, even if this is your home address. You should also include your name "Joe Bloggs trading as XYZ" in the legal docs, so that users and customers can identify who they are dealing with.

Good day, I'm based in South Africa and I'm working on developing a music website that will serve all music fans all over the world. I want to know which policy I can use or download for the site. Does it only work for Europe citizens only?

Our documents are all designed to help compliance with English law (including EU law as applicable/implemented in the UK). As your business is based in SA, you should start with documents designed to help with SA law.

(However, in some circumstances you may also need to comply with foreign law.)

The SEQ licence allows you to do this, but you may need to ensure that the translated document is compliant with applicable French law. (Although data protection law is in theory harmonised across the EU, in practice there are differences.)

There are two alternative sections in the privacy policy dealing with data subject rights. The first is designed to help with compliance under the Data Protection Act 1998 (DPA), and should be used until the General Data Protection Regulation (GDPR) comes into force. The second is designed to help with the compliance under the GDPR, and should be used after the GDPR comes into force. See the sections numbered 8.

The reason for including both sections is that a GDPR-compliant section would be non-compliant under the DPA, while a DPA-compliant section would be non-compliant under the GDPR. We will remove the DPA section from the template in mid-May.

If you didn't collect personal data and if you don't use cookies on your website, then you will have nothing to say in a privacy policy. However, as people can contact you, you do in fact collect personal data (which includes names, email addresses and so on). The website may also collect personal information (which can include IP addresses).

With the GDPR, privacy policy templates almost always need heavy adaptation to fit with the particular way in which a business (acting as data controller) processes personal information. I can't really give a sensible answer to the question of "which one" without knowing much more about the website, and what you do with personal data - in practice I would need to take you on as a client to give useful guidance here.

Thank you for all the great templates and free stuff you have on your site. You have answered lots of my questions just on this blog here. Very helpful. I will need the website privacy policy when I upgrade later in the year but for now I just need a basic privacy policy which covers the collection of contact details for written records and email newsletters. I've been to the ICO website to find a template but it's a very complicated site and haven't managed to locate one on there. Your information is so much clearer and easier to navigate.

I was wondering if the template would serve for my purposes. I will only collect very basic personal information (name, email address) and use that information for follow-up purposes, etcetera. Obviously I will use cookies. I would appreciate any advice. Thank you!

Templates are merely tools, and always need to be adapted. So, if you adapt the document appropriately, it will serve your purposes. I appreciate that this isn't very useful guidance. However, in order to assess whether a document is helping a business to comply with the law I would need to: (i) know a good deal about the business; and (ii) see the final version of the document, post editing. This is not a service I can provide alongside the templates.

Hi, I had started a book promo business, but deleted it, when I heard about the privacy policy. I don't have any money (long story) and it's the only way for me to make any. It will be awhile before I can afford a business license. I'm only collecting emails and using PayPal for payment. Do I really need a privacy policy? Is a free template enough? Thanks, I miss the old days ... lolsighs.

To the extent that the business will operate under English or other EU law, then yes you do need a privacy policy or similar notice. However templates - free or otherwise - cannot guarantee compliance, and always need some level of adaptation.

I'm looking for a privacy policy to put on a radio club website. Can we use one from yours, without paying, and without having the attribution? Spending £10 for a business is nothing, but for us, it would be around 12% of our annual income.

I don't have anything shorter right now, although it is on the list. If you go over to https://docular.net you can get access to this template through the Docular online editor, which makes removing unwanted material very easy.

Thanks so much for this policy! I’ve updated it for my business and have now published it on my website, which I’d dreaded doing as I didn’t know where to even start. The notes were a huge help too, so clear and informative - I’m not a lawyer but I was able to follow them easily.

Hello, I am starting an on-line store selling food supplement products based in the UK but selling in other EU countries as well. Which policy documents available here do I need to put on my website? There are quite a few versions so I am a bit confused. Thank you!

Typically, an online store will need at a minimum: (i) T&Cs of sale, to govern the contract of sale itself; (ii) T&Cs of use, to govern the relationship between the website operator and users, who may or may not be purchasing goods; and (iii) a privacy and cookies policy, to help with disclosures relating to data protection law.

Whilst we don't currently have a free version of (i) on this website, you can find free versions of all three documents on our Docular website: https://docular.net

I understand. However, I would appreciate if you gave me a link to specific versions, especially of (i) as there are a few I can see on docular.net with different prices. Which one would be the most suitable for my on-line store? I assume the food supplements do not require any specific clauses that other products don't have? Thanks so much again!